Researchers at cloud security startup Orca Security have publicly documented a pair of vulnerabilities in AWS CloudFormation and AWS Glue that attackers could use to leak sensitive files or access other customers’ data.
The first of the security flaws is described as an XML External Entity (XXE) error that could have been exploited to leak sensitive files stored in the CloudFormation service, as well as to disclose credentials for internal AWS infrastructure services.
CloudFormation is a service that helps users provision AWS resources using templates and to create and configure resources dynamically using API calls.
The XXE vulnerability could have allowed attackers to read files and perform HTTP requests on behalf of a compromised CloudFormation server, according to an advisory from Orca Security.
The host contained multiple AWS service binaries and various configuration files and an attacker could have leveraged the data (including credentials for internal endpoints) to bypass tenant boundaries and gain privileged access to any resource in AWS, the company warned.
The vulnerability was addressed on September 15, 2021, one week after Orca Security reported it to the AWS security response team.
Impacting the AWS Glue service, the second vulnerability could have been used to create resources and access the data belonging to other AWS Glue customers. The exploitation process, however, was complex and required multiple steps.
The issue could allow an attacker to obtain credentials providing them with full access to internal service API, and then leverage an internal misconfiguration in AWS Glue – a service helping users easily discover and combine data for analytics, application creation, and machine learning – to gain “unrestricted access to all resources for the service in the region, including full administrative privileges,” Orca Security explained.
Successful exploitation of the bug could have allowed an attacker to assume roles in AWS customer accounts trusted by the Glue service, and query and modify AWS Glue service-related resources.
“We are aware of an issue related to AWS Glue ETL and AWS CloudFormation and can confirm that no AWS customer accounts or data were affected. Upon learning of this matter from Orca Security, we took immediate action to mitigate it within hours and have added additional controls to the services to prevent any recurrence,” and AWS spokesperson told SecurityWeek in an emailed response to this article.
*Updated with comment from AWS